New Cross-Platform Backdoors Target Linux, Windows

Researchers at Kaspersky Lab have discovered a Linux backdoor that has been migrated to Windows and added a series of new capabilities.

The malware was initially spotted on Linux systems, where it had a full set of features that allowed the attackers to monitor all a victim’s activities, including the ability to capture audio and take screenshots. Researchers discovered that the backdoor was written in C++ and Qt, a cross-platform application framework, and that it was compiled toward the end of September 2015.

Called DropboxCache, also known as Backdoor.Linux.Mokes.a, the malware connects to a hardcoded command and control (C&C) server, after which it performs an HTTP request every minute and receives one-byte images in response, Kaspersky Lab’s Stefan Ortloff explains in a blog post. The backdoor connects to TCP port 433 using a custom protocol and AES encryption to receive data and commands from the C&C server, Ortloff said.

According to Kaspersky, the malware authors didn’t put effort into obfuscating the code in any way, making it easier to analyze.

The second backdoor the researchers discovered is called OLMyJuxM.exe (Backdoor.Win32.Mokes.imv), which emerged recently on Windows-based systems. According to Kaspersky, the analysis of this piece of malware quickly revealed that it is a 32-bit Windows variant of Backdoor.Linux.Mokes.a.

The malware uses the SetWindowsHook API for keylogger functionality and for monitoring mouse inputs and internal messages posted to the message queue. The backdoor then contacts the C&C server for commands, and continues to connect to it once per minute by sending a heartbeat signal via HTTP (GET /v1), the same as the Linux variant.

The cybercriminals behind the malware have designed it to receive commands and to upload or download additional resources via TCP Port 433. Researchers also explain that the Windows backdoor uses the same filename templates to save the obtained screenshots, audiocaptures, keylogs and other arbitrary data.

Further analysis of the malicious program revealed that it also includes code to capture images from a connected camera, such as a built-in webcam. Additionally, Kaspersky researchers explain that, unlike the Linux variant, the Windows malware has the keylogger active from the start.

However, the same as the Linux backdoor, this malicious program’s binary contains a series of suspicious strings. To ensure that Windows does not find the malware suspicious and that it does not ask users to confirm execution, the authors used a trusted certificate issued by COMODO RSA Code Signing CA, but the researchers did not share the name of the entity which the certificate was issued to.

Kaspersky Lab researchers warn that the malware appears to have been designed to be platform independent, suggesting that it might not be too long before a Mac OS X variant emerges. As always, users are advised to have an anti-virus program enabled on their systems and kept up to date, as well as to avoid opening emails from unknown sources, clicking on suspicious attachments or links, or installing applications from untrusted sources.